Native iOS MDM

iOS Mobile Device Management Security

Apple’s native iOS mobile device management architecture enables over-the-air provisioning, control and monitoring of remote iPhones and iPads in real time.

By 2010, IT could manage iOS 3 devices from afar by combining profiles with third-party Mobile Device Management (MDM) agents. However, users had to install MDM agents, and sandboxing, multi-tasking, and API restrictions severely limited what those agents could do. Fortunately, Apple baked native MDM right into the operating system in iOS 4. By working with Apple under NDA, authorized MDM vendors were permitted to plug their products directly into this native MDM API.

Using APNS As a Trusted Broker

Apple’s architecture relays all MDM requests through Apple’s own Push Notification Service (APNS). When any MDM server wants to communicate with an iPhone or iPad, it sends a notification via APNS, prompting the device to check in. Upon receipt, that iPhone or iPad opens a TLS connection to the MDM server, which can be inside a corporate network or out in a public cloud. The server then uses that connection to deliver profiles, query device attributes, or invoke IT actions such as wiping a lost device.

APNS plays a critical role by relaying notifications from authorized MDM servers only. To deter API misuse, each MDM server must be issued its own Apple-signed digital certificate. When iOS 4 was released, each business or service provider that wanted to use MDM had to join Apple’s iOS Developer Program to get a certificate. With iOS 5, Apple established a process to issue free certificates to MDM customers: (1) generate a Certificate Signing Request, (2) have your MDM vendor sign it, then (3) visit the Apple Push Certificates Portal to get your own APNS certificate to manage your company’s devices (below).

Apple Push Certificates Portal

Leveraging Native MDM APIs

Many third-party MDM vendors now use Apple’s native MDM APIs, including AirWatch, Boxtone, Fiberlink (illustrated here), McAfee, Mobile Active Defense, MobileIron, Odyssey Software, SOTI, Sybase, Symantec, Tangoe, Ubitexx, and Zenprise. Apple’s APIs lay a uniform foundation for what these MDMs can do. Specifically:

  • Every MDM offers administrator and/or user-initiated processes for over-the-air enrollment of iOS 4 or iOS 5 devices, including user authentication, device certificate generation via the Simple Certificate Enrollment Protocol (SCEP), and explicit user approval to place the device under MDM control (illustrated below).

Simple Certificate Enrollment Protocol

  • Once a device is enrolled, over-the-air configuration occurs via Configuration Profiles. Syntactically, these are the same as those generated by Apple’s iPhone Configuration Utility. As such, they can carry all the same attributes; files can even be signed and encrypted to stop copying or tampering. MDM just wraps profiles inside a scalable workflow, letting IT more easily push, update, and remove Configuration Profiles for large workforces, driven from an IT-friendly console.
  • Similarly, MDM can be used to list, install, and remove managed application packages, along with Application Profiles to enable them, and (new in iOS 5) volume-purchased licenses required to use some commercial apps.
  • Enrolled devices can be queried for a lengthy list of MDM-supported attributes, from iOS version, model, device IDs, hardware capabilities, and network properties to installed configuration profiles and applications.
  • Finally, MDMs can relay a select few actions through APNS: device lock, clear passcode, device wipe, and remove MDM control.
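The APNS-brokered check-in described under "Using APNS As a Trusted Broker", together with the query and action commands listed above, can be walked through end to end in a small simulation. The following is an added example, not code from Apple or any of the MDM vendors named on this page. It uses the MDM protocol's own plist key names (MessageType, TokenUpdate, PushMagic, Topic, CommandUUID, RequestType, Status, QueryResponses) but replaces the real pieces with stand-ins: the PushRelay class models only the one property the page attributes to APNS (it relays pushes from the server the device enrolled with and nothing else), the check-in and server HTTPS endpoints become method calls, and every device value, topic string and push token is constructed for the demo.

```python
"""Simulated iOS MDM round trip (added example, not Apple's or any vendor's code). Key names
such as MessageType, TokenUpdate, PushMagic, Topic, CommandUUID, RequestType, Status and
QueryResponses are the protocol's own; the classes and all device values are constructed."""
import plistlib
import uuid

# Constructed sample values; not real device or certificate data.
UDID = "constructed-udid-0001"
PUSH_TOKEN = bytes.fromhex("00" * 32)
PUSH_MAGIC = "constructed-push-magic"
TOPIC = "com.apple.mgmt.External.constructed"

class PushRelay:
    """Stand-in for APNS: a push is delivered only when the sending server's
    certificate topic matches the topic the device enrolled under."""
    def __init__(self):
        self.enrolled = {}  # push token -> (topic, device)

    def push(self, server_topic, token, payload):
        topic, device = self.enrolled[token]
        if server_topic != topic:
            return False  # server is not the one the device enrolled with; drop it
        device.wake(payload)
        return True

class MDMServer:
    def __init__(self, topic, relay):
        self.topic, self.relay = topic, relay
        self.devices = {}  # UDID -> {"token", "magic"} learned at enrollment
        self.queues = {}   # UDID -> pending command dicts
        self.results = {}  # CommandUUID -> device response

    def checkin(self, body):
        """Check-in URL handler: record the device's push token and PushMagic."""
        msg = plistlib.loads(body)
        if msg["MessageType"] == "TokenUpdate":
            self.devices[msg["UDID"]] = {"token": msg["Token"], "magic": msg["PushMagic"]}

    def queue(self, udid, request_type, **extra):
        """Queue a command, then have the relay wake the device with {"mdm": PushMagic}."""
        cmd = {"CommandUUID": str(uuid.uuid4()), "Command": {"RequestType": request_type, **extra}}
        self.queues.setdefault(udid, []).append(cmd)
        rec = self.devices[udid]
        return self.relay.push(self.topic, rec["token"], {"mdm": rec["magic"]})

    def connect(self, body):
        """Server URL handler: store any response, return the next command or nothing."""
        resp = plistlib.loads(body)
        if "CommandUUID" in resp:
            self.results[resp["CommandUUID"]] = resp
        pending = self.queues.get(resp["UDID"], [])
        if resp["Status"] in ("Idle", "Acknowledged") and pending:
            return plistlib.dumps(pending.pop(0))
        return b""

class Device:
    def __init__(self, udid, token, magic, info):
        self.udid, self.token, self.magic, self.info = udid, token, magic, info
        self.server, self.locked = None, False

    def enroll(self, server, relay):
        """End of enrollment: APNS learns the token, the server learns token and PushMagic."""
        self.server = server
        relay.enrolled[self.token] = (server.topic, self)
        server.checkin(plistlib.dumps({"MessageType": "TokenUpdate", "UDID": self.udid,
            "Token": self.token, "PushMagic": self.magic, "Topic": server.topic}))

    def wake(self, payload):
        """Push received: ignore it unless it carries our PushMagic, then poll until empty."""
        if payload.get("mdm") != self.magic:
            return
        status = {"Status": "Idle", "UDID": self.udid}
        while body := self.server.connect(plistlib.dumps(status)):
            status = self.handle(plistlib.loads(body))

    def handle(self, cmd):
        req, base = cmd["Command"], {"UDID": self.udid, "CommandUUID": cmd["CommandUUID"]}
        if req["RequestType"] == "DeviceInformation":
            answers = {q: self.info[q] for q in req["Queries"] if q in self.info}
            return {**base, "Status": "Acknowledged", "QueryResponses": answers}
        if req["RequestType"] == "DeviceLock":
            self.locked = True
            return {**base, "Status": "Acknowledged"}
        return {**base, "Status": "Error", "ErrorChain": [{"LocalizedDescription": "unsupported"}]}

def demo():
    relay = PushRelay()
    server = MDMServer(TOPIC, relay)
    dev = Device(UDID, PUSH_TOKEN, PUSH_MAGIC, {"ProductName": "iPhone3,1", "OSVersion": "5.0"})
    dev.enroll(server, relay)
    server.queue(UDID, "DeviceInformation", Queries=["ProductName", "OSVersion", "SerialNumber"])
    server.queue(UDID, "DeviceLock")
    # A server holding a certificate for another topic is refused by the relay, even
    # though (for the demo) it was handed the device's token and PushMagic.
    rogue = MDMServer("com.apple.mgmt.External.other-constructed", relay)
    rogue.devices[UDID] = server.devices[UDID]
    rogue_delivered = rogue.queue(UDID, "DeviceLock")
    info = next(r for r in server.results.values() if "QueryResponses" in r)
    return info["QueryResponses"], dev.locked, rogue_delivered
```

Calling demo() returns the device's answers to the DeviceInformation query (the SerialNumber query goes unanswered because the constructed device has no such attribute), True for the lock having been applied, and False for the rogue server's push. Two details mirror the real design rather than the simulation: the push itself carries nothing but the PushMagic, so the command content only ever travels over the device-initiated TLS connection to the MDM server, and the device keeps polling until the server returns an empty response, which is why a single push can drain a whole queue of commands.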